A sophisticated espionage campaign dubbed \u201cFire Ant\u201d demonstrates previously unknown capabilities in compromising VMware virtualization infrastructure.\u00a0<\/p>\n
Since early 2025, this threat actor has systematically targeted VMware ESXi hosts, vCenter servers, and network appliances using hypervisor-level techniques that evade traditional endpoint security solutions.\u00a0<\/p>\n
The campaign exhibits strong technical overlap with the previously identified UNC3886<\/a> threat group, employing critical vulnerabilities and custom malware to maintain persistent, stealthy access to organizational networks.<\/p>\n Sygnia reports<\/a> that Fire Ant\u2019s initial attack vector leverages CVE-2023-34048<\/a>, an out-of-bounds write vulnerability in vCenter Server\u2019s DCERPC protocol implementation that enables unauthenticated remote code execution.\u00a0<\/p>\n Security researchers identified suspicious crashes of the \u2018vmdird\u2019 process on vCenter servers, indicating exploitation of this critical vulnerability.\u00a0<\/p>\n Following successful compromise, the threat actors deploy sophisticated tools, including the open-source script vCenter_GenerateLoginCookie.py, to forge authentication cookies and bypass login mechanisms.<\/p>\n The attackers systematically harvest vpxuser credentials \u2013 system accounts automatically created by vCenter with full administrative privileges over ESXi hosts.\u00a0<\/p>\n This credential theft enables lateral movement across the entire virtualization infrastructure, as vpxuser accounts remain exempt from lockdown mode restrictions.\u00a0<\/p>\n The threat actors also exploit CVE-2023-20867<\/a>, a VMware Tools vulnerability that permits unauthenticated host-to-guest command execution through PowerCLI\u2019s Invoke-VMScript cmdlet.<\/p>\n Fire Ant demonstrates remarkable persistence capabilities through multiple backdoor deployment techniques.\u00a0<\/p>\n The group installs malicious vSphere Installation Bundles (VIBs) with acceptance levels set to \u2018partner\u2019 and deployed using the \u2013force flag to bypass signature validation.\u00a0<\/p>\n These unauthorized VIBs contain configuration files referencing binaries in the \u2018\/bin\u2019 folder and custom scripts embedded in \u2018\/etc\/rc.local.d\/\u2019 for startup execution.<\/p>\n Additionally, the attackers deploy a Python-based HTTP backdoor named autobackup.bin that binds to port 8888 and provides remote command execution capabilities.\u00a0<\/p>\n This malware modifies \u2018\/etc\/rc.local.d\/local.sh\u2019 on ESXi hosts for persistent execution. To further evade detection, Fire Ant terminates the vmsyslogd process, VMware\u2019s native syslog daemon, effectively disabling both local log writing and remote log forwarding.<\/p>\n The threat actors demonstrate sophisticated network manipulation capabilities by compromising F5 load balancers through CVE-2022-1388 exploitation, deploying webshells to \u2018\/usr\/local\/www\/xui\/common\/css\/css.php<\/em>\u2018 for network bridging.\u00a0<\/p>\n They utilize Neo-reGeorg tunneling webshells on internal Java-based web servers and deploy the Medusa rootkit on Linux pivot points for credential harvesting and persistent access.<\/p>\n Fire Ant employs netsh portproxy commands for port forwarding through trusted endpoints<\/a>, effectively bypassing access control lists and firewall restrictions.\u00a0<\/p>\n The group also exploits IPv6 traffic to circumvent IPv4-focused filtering rules, demonstrating a comprehensive understanding of dual-stack network environments and common security gaps in organizational infrastructure.<\/p>\n Organizations must urgently prioritize securing their VMware environments through comprehensive patching, enhanced monitoring of hypervisor activities, and implementation of advanced detection capabilities that extend beyond traditional endpoint security solutions.<\/p>\n Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now<\/a><\/strong><\/p>\n The post Fire Ant Hackers Exploiting Vulnerabilities in VMware ESXi and vCenter to Infiltrate Organizations<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways
<\/mark><\/strong>1. Fire Ant exploits critical VMware ESXi and vCenter flaws for undetected hypervisor-level access.\u00a0
2. Deploys stealth backdoors and disables logging to maintain persistent control.
3. Tunnels via compromised infrastructure to bypass network segmentation and reach isolated assets.<\/pre>\nAdvanced VMware Infrastructure Exploitation Techniques<\/strong><\/h2>\n
Persistence Capabilities and Evasion Methods<\/strong><\/h2>\n
![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXcP0qrCp2UbPzxYPnxz445GjiKtbPOVspJlauWVvqV0wNnnlOvvq455ye3gRNTtxK0lTXNjeVD48bEDN9_Ggpu_x6cTN9UrmUpy_ImCZj2rSAz_sNWPiti4wiRI9eiEYsSEXtuS?key=Kkrw9JNQI8ru6wsj4hoc_g\")